Current through Register 1531, September 27, 2024
(1) Requests for Data that do not fall under the categories described in
957 CMR 5.03, 5.04 or 5.05 shall be made in writing by filing an application
with CHIA in a form specified by CHIA as provided on its Website.
(2) In any application for Data under 957 CMR
5.06, each Applicant shall:
(a) identify and
demonstrate a need for the Protected Health Information requested and for those
specific data elements CHIA deems necessary to protect individual
privacy;
(b) specify the purpose of
the request, including the intended use(s) of the Data, a detailed project
description that describes any other data sources to be used for the project
and, if applicable, the research methodology;
(c) specify security and privacy measures
that will be taken in order to safeguard patient privacy and prevent
unauthorized access to or use of the Data;
(d) specify the Applicant's methodology for
maintaining data integrity and accuracy; and
(e) describe how, or if, the results of the
Applicant's analysis will be published.
(3) Applicants requesting Protected Health
Information of Medicaid recipients will be required to demonstrate compliance
with 42 U.S.C. § 1396a(a)(7) to the satisfaction of both CHIA and the
Executive Office of Health and Human Services.
(4) Applicants requesting Medicare Data will
be required to demonstrate compliance with CMS requirements regarding access to
and use of such Data.
(5) Applications for Data filed under 957 CMR 5.06 will be posted on CHIA's
Website. CHIA will not post those portions of applications that specify an
Applicant's proposed data security measures.
(6) CHIA will invite public comments on
applications for at least ten business days following the day on which the
application is posted on the Website.
(7) Applications for Data under 957 CMR 5.06
shall be reviewed by a Data Privacy Committee comprised of CHIA employees or
contractors with relevant experience in data privacy, data security,
information technology and research.
(a) In reviewing each application for Data submitted pursuant to 957 CMR 5.06,
the Data Privacy Committee shall determine whether the Applicant has met the
criteria for release specified in 957 CMR 5.06(9).
(b) The Data Privacy Committee shall prepare
a written recommendation for the Executive Director specifying whether the
application should be approved, approved with conditions or denied.
(8) All applications for Data under 957 CMR 5.06 shall be reviewed by the Data
Release Committee established under 957 CMR 5.08.
(9) The Executive Director will approve an
application if he or she determines that the Applicant has met the following
criteria:
(a) There is no more than a minimal
risk to individual privacy based on:
1. an adequate plan to protect Protected Health Information;
2. a written commitment to return or destroy
Data upon completion of the project for which the Data is sought; and
3. written assurances restricting the use of
Data to the specific uses identified in the application.
(b) The Applicant cannot meet its research or
project objectives without the requested Data.
(c) The Data sought by the Applicant is the
minimum amount necessary to achieve the Applicant's research or project
objectives.
(d) The purpose for
which the Data is requested is in the public interest. Uses that serve the
public interest include, but are not limited to:
1. health cost and utilization analysis to
formulate public policy;
2. studies
that promote improvement in population health, health care quality or
access;
3. health planning and
resource allocation studies; and
4. studies directly tied to evaluation or improvement of Massachusetts state
government initiatives.
(e) The Applicant has demonstrated it is
qualified to undertake the study or accomplish the intended use.
(10) The Executive Director's
decisions to approve or deny applications for Data are final and not subject to
further review or appeal.
(11) The Executive Director may impose conditions on the subsequent use and
disclosure of any Data released under 957 CMR 5.06.
(12) All Applicants for Data shall enter into
a Data Use Agreement with CHIA prior to the receipt of any Data. The Data Use
Agreement shall, at a minimum:
(a) Restrict
the use of the Data to those uses identified in the application and approved by
the Executive Director;
(b) Commit
the Applicant to return or destroy the Data received from CHIA upon completion
of the project for which the use of the Data was approved. All data destruction
must comport with M.G.L. c. 931 and any other applicable state or federal
law;
(c) Require the Applicant to
adhere to processes and procedures aimed at preventing unauthorized access,
disclosure or use of the Data;
(d) Require the Applicant to notify CHIA of any unauthorized use or disclosure
of the Data;
(e) Permit CHIA, at its
discretion, to review all analyses, research or other products created or based
on Protected Health Information provided by CHIA prior to the release or
disclosure of any such analysis, research or product; and
(f) Permit CHIA, at its discretion, to audit
the Applicant's compliance with the provisions of the Data Use
Agreement.